From f88c1a43bd66aa1abbafabba3b10fbdaa2ff0db9 Mon Sep 17 00:00:00 2001
From: Chris Evich
Date: Tue, 6 Dec 2022 03:07:40 -0500
Subject: [PATCH] Fix volume mounts

* Add note about volume-mounts being cumulative with base-image
* Fix register & run labels to use (correct) base image's `/home/podman/.local/share/containers/` instead of defining a new (wrong/useless) `storage` volume.
* Fix register & run labels to mask over `/var/lib/containers` with a read-only tmpfs to block any nested rootful use of podman as a security precaution.

Signed-off-by: Chris Evich
---
 Containerfile | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/Containerfile b/Containerfile
index 9771f1c..693896b 100644
--- a/Containerfile
+++ b/Containerfile
@@ -102,9 +102,8 @@ RUN sed -i -r \
 # Runtime rootless-mode configuration
 USER podman
-VOLUME ["/home/podman/.local/share/containers/storage/",\
- "/home/podman/.gitlab-runner/", \
- "/cache"]
+# N/B: Volumes are cumulative with the base image
+VOLUME ["/home/podman/.gitlab-runner/", "/cache"]
 WORKDIR /home/podman
 ENTRYPOINT ["/usr/local/bin/gitlab-runner-wrapper"]
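Review bot: The new `# N/B: Volumes are cumulative with the base image` comment says a volume was dropped on purpose but not which path the base image already declares, so the next maintainer has to inspect the base image to learn that `/home/podman/.local/share/containers/` (the path named in the commit message) is still a volume and must still be backed by a named volume at run time. Consider extending it to `# N/B: Volumes are cumulative with the base image, which already declares /home/podman/.local/share/containers/ (backed by the pipglr-podman-root volume in the run/register labels)`. The labels that reference that path are below this hunk, and the preceding `RUN sed -i -r \` instruction named in the hunk header lies outside it.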
@@ -143,7 +142,7 @@ ENV CLEAN_INTERVAL="$CLEAN_INTERVAL" \
 DOCKER_PRIVILEGED="$PRIVILEGED_RUNNER"
 # Not a real build-arg. Simply here to save lots of typing.
-ARG _pm="--systemd=true --device=/dev/fuse --security-opt label=disable --user podman --volume pipglr-podman-root:/home/podman/.local/share/containers/storage --volume pipglr-config:/home/podman/.gitlab-runner -v pipglr-podman-cache:/cache -e PODMAN_RUNNER_DEBUG -e LOG_LEVEL"
+ARG _pm="--systemd=true --device=/dev/fuse --security-opt label=disable --user podman --volume pipglr-podman-root:/home/podman/.local/share/containers --volume pipglr-config:/home/podman/.gitlab-runner -v pipglr-podman-cache:/cache --tmpfs /var/lib/containers,ro,size=1k -e PODMAN_RUNNER_DEBUG -e LOG_LEVEL"
 # These labels simply make it easier to register and execute the runner.
 # Define them last so they are absent should a image-build failure occur.
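Review bot: The security intent behind the new `--tmpfs /var/lib/containers,ro,size=1k` in `_pm` lives only in the commit message; the `# Not a real build-arg. Simply here to save lots of typing.` comment above it says nothing about why a read-only tmpfs is mounted over podman's rootful storage root, so a later cleanup could drop the option as noise. Add a comment above the ARG such as `# ro tmpfs over /var/lib/containers: precaution against nested rootful podman using its default storage root` and, as the commit message itself frames it, keep the wording at "precaution" — it masks the default location only, and presumably a non-default root configured via storage.conf would not be covered. Both the register and run labels that consume `_pm` are below this hunk.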